Querying Domain Information
Querying domain information by using the LDAP provider is easy. Connect to the domain and simply use the Get method, along with the desired attribute name.
Dim objDomain
'Set is required when assigning an object reference
Set objDomain = GetObject("LDAP://dc=domain,dc=com")
WScript.Echo objDomain.Get("minPwdAge")
Of course, you need to know the attribute names that you want to query. Some of the interesting domain LDAP attributes include:
pwdHistoryLength.
The number of old passwords the domain remembers for each user.
minPwdLength.
The minimum number of characters per user password.
minPwdAge.
The minimum number of days a user must keep his password.
maxPwdAge.
The maximum number of days a user may keep his password.
lockoutThreshold.
The number of tries you have to guess a password before the account is locked out.
lockoutDuration.
How long an account is left locked out.
lockOutObservationWindow.
The time window during which the lockoutThreshold number of wrong password attempts will cause an account lockout.
forceLogoff.
Forces account logoff when account restriction time expires.
You can explore more of the domain's attributes by examining the domain and domainPolicy classes in the AD schema; I'll describe how to view the attributes associated with a class later in this chapter.
Querying this information by using the WinNT provider is remarkably similar, although the attributes' names do change somewhat. Here's an example.
Dim objDomain
'Set is required when assigning an object reference
Set objDomain = GetObject("WinNT://DOMAIN")
WScript.Echo objDomain.Get("MinPasswordAge")
As you can see, the syntax is virtually identical, with the ADSI connection string and the attribute name being the only differences.
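Through LDAP, minPwdAge, maxPwdAge, lockoutDuration, and lockOutObservationWindow are stored as 64-bit intervals counted in negative 100-nanosecond units, so the raw values need converting before they can be read or reviewed. The following added example (not from the original text, and written in Python so it runs offline rather than against a live domain) decodes a set of raw values and checks them against a baseline. SAMPLE_POLICY is constructed, the BASELINE thresholds are illustrative assumptions, and the function names are hypothetical.

```python
# Added example: decode and review raw domain password-policy attributes.
# SAMPLE_POLICY is constructed data; BASELINE thresholds are assumptions.

TICKS_PER_SECOND = 10_000_000   # AD intervals are counted in 100-ns units
NEVER = -(2 ** 63)              # sentinel, e.g. maxPwdAge: passwords never expire
INTERVAL_ATTRS = {"minPwdAge", "maxPwdAge", "lockoutDuration",
                  "lockOutObservationWindow"}
BASELINE = {"minPwdLength": 14, "pwdHistoryLength": 24, "lockoutThreshold": 10}

SAMPLE_POLICY = {               # constructed values, as an LDAP client returns them
    "pwdHistoryLength": "3",
    "minPwdLength": "7",
    "minPwdAge": "0",
    "maxPwdAge": "-36288000000000",            # 42 days
    "lockoutThreshold": "0",
    "lockoutDuration": "-18000000000",         # 30 minutes
    "lockOutObservationWindow": "-18000000000",
}

def interval_seconds(raw):
    """Convert a negative 100-ns interval to seconds; None means 'never'."""
    ticks = int(raw)
    if ticks == NEVER:
        return None
    return abs(ticks) // TICKS_PER_SECOND

def decode_policy(raw_policy):
    """Return the policy with intervals in seconds and counters as integers."""
    return {name: interval_seconds(raw) if name in INTERVAL_ATTRS else int(raw)
            for name, raw in raw_policy.items()}

def audit(policy, baseline=BASELINE):
    """List the settings that are weaker than the assumed baseline."""
    findings = []
    for name in ("minPwdLength", "pwdHistoryLength"):
        if policy[name] < baseline[name]:
            findings.append(f"{name} is {policy[name]}, baseline is {baseline[name]}")
    if policy["lockoutThreshold"] == 0:
        findings.append("lockoutThreshold is 0: accounts never lock out")
    elif policy["lockoutThreshold"] > baseline["lockoutThreshold"]:
        findings.append("lockoutThreshold is above the baseline")
    if policy["minPwdAge"] == 0 and policy["pwdHistoryLength"] > 0:
        findings.append("minPwdAge is 0: password history can be cycled at once")
    return findings

if __name__ == "__main__":
    decoded = decode_policy(SAMPLE_POLICY)
    print("maxPwdAge (days):", decoded["maxPwdAge"] // 86400)
    for finding in audit(decoded):
        print("FINDING:", finding)
```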
If you're an advanced Active Directory (AD) user, you can also work directly with the domain's root object, configuration partition, and schema partition. To do so, simply connect directly to the appropriate object.
Dim objRoot, objConfig, objSchema, objRootDomain
'get the forest root domain:
Set objRoot = GetObject("LDAP://rootDSE")
Set objRootDomain = GetObject("LDAP://" & _
objRoot.Get("rootDomainNamingContext"))
'get the configuration partition
Set objConfig = GetObject("LDAP://" & _
objRoot.Get("configurationNamingContext"))
'get the schema partition
Set objSchema = GetObject("LDAP://" & _
objRoot.Get("schemaNamingContext"))
I'm not going to cover scripting operations that modify the configuration or schema partitions; doing so is pretty dangerous stuff, and it's not the sort of thing you do so frequently that you're likely to need to automate it.